The amount of time federal agencies have to patch the recent React2Shell vulnerability has decreased significantly.
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-55182 — a vulnerability impacting a popular open-source tool built into thousands of widely used digital products — to its Known Exploited Vulnerabilities catalog late last week, giving federal agencies until December 26 to patch the bug.
The date is now Friday. A spokesperson for CISA confirmed the date change and noted that CISA wanted federal agencies to “check for signs of potential compromise on all internet accessible REACT instances after applying mitigations.”
CISA’s patch deadlines are often an indicator of a bug’s severity for the industry in general. React2Shell affects React Server Components, a tool originally created for Facebook and now embedded in 50 million websites and products built by countless major companies.
Since December 3, cybersecurity defenders have scrambled to patch CVE-2025-55182 due to the wide use of React Server Components.
Over the last week, defenders have seen government-backed hackers from China and North Korea exploiting the bug alongside an array of cybercriminal groups.
Palo Alto Networks’ Unit 42 published a new advisory on Wednesday evening showing more than 50 organizations have been impacted by breaches sourced back to CVE-2025-55182.
The impacted organizations are in the U.S. as well as Asia, South America and the Middle East. Hackers are targeting financial services institutions, higher education, the tech industry, all levels of government and media organizations.
Unit 42 added that in addition to previously identified Chinese malware strains like Snowlight and Vshell, they are now seeing other malware used including NoodlerRat, XMRIG, BPFDoor, Autocolor, Mirai and Supershell.
Justin Moore, a senior official at Unit 42, told Recorded Future News that researchers have confirmed cases where attackers used CVE-2025-55182 to breach networks.
“We have observed opportunistic targeting and automated scripts for the installation of cryptominers and botnets, targeting AWS configuration keys, and more targeted installation of numerous robust backdoors previously associated with nation state affiliated actors,” Moore said.
Unit 42 also confirmed previous reporting by cybersecurity firm Sysdig that North Korean hackers are exploiting the bug to deliver malware and facilitate cryptocurrency theft.
Unit 42 added that it observed some hackers exploiting the bug using BPFDoor, a Linux backdoor attributed to a China-linked threat group known as Red Menshen.
The group was previously accused of targeting the telecommunications, finance and retail sectors, with attacks observed in South Korea, Hong Kong, Myanmar, Malaysia and Egypt. Unit 42 tracked several other backdoors and strains of malware used in attacks.
Other incident responders said they are now seeing low-skill, opportunistic abuse of the vulnerability across a variety of sectors.
Christiaan Beek, senior director of threat intelligence at Rapid7, said the company is witnessing cryptocurrency miners and Mirai botnet deployments exploiting the bug. He added that there are indicators linking the vulnerability’s exploitation to tooling previously used by ransomware groups.
Researchers at CyCognito shared data showing that media organizations had an inordinate number of externally exposed assets running vulnerable React Server Components affected by CVE-2025-55182.
The company said news outlets, broadcast television stations, cable and satellite companies and more were exposed, likely because most media organizations use React in their frontend stacks.
“They rely heavily on server-rendered frameworks such as Next.js to run public entry points like homepages, article and video pages, section fronts, search results and campaign microsites,” the company told Recorded Future News.
“In many of these applications, React Server Components are used for server side data fetching, layout composition and streaming partial page updates. That puts the vulnerable react-server-dom-* packages directly in the request path on exposed web assets.”
The company also found that the manufacturing, technology and hospitality industries have significant exposure to CVE-2025-55182.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

